OT Security Posture Scorecard
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated purpose, but an included test script disables TLS certificate verification while sending the API key and assessment data.
Review before installing. Only use this skill if you are comfortable sending OT/ICS security posture details to ToolWeb, protect the TOOLWEB_API_KEY carefully, and avoid running scripts/test-api.sh until the curl -k option is removed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Test script disables TLS certificate verification
Impact: If a user runs the test script on an untrusted network, their API key and assessment request could be exposed or tampered with.
Details: The -k option disables TLS certificate validation while the script sends the ToolWeb API key and assessment payload to a remote HTTPS endpoint, increasing exposure to interception or endpoint impersonation.
Evidence (scripts/test-api.sh): RESPONSE=$(curl -sk ... -H "X-API-Key: $TOOLWEB_API_KEY" ...)
Recommendation: Remove the -k option, use normal certificate validation, and rotate the API key if it was used with the insecure test script.
Finding 2: Sensitive OT/ICS posture details are sent to a third-party service
Impact: Users may disclose information about critical infrastructure security posture, tooling, and gaps to a third-party service.
Details: The skill sends user-provided OT/ICS environment, tooling, and security concern details to the ToolWeb provider API. This is disclosed and purpose-aligned, but the data can be sensitive.
Evidence: POST https://portal.toolweb.in:8443/security/itotassessor ... "org_name" ... "ot_technologies" ... "it_tools" ... "threat_concern" ... "compliance"
Recommendation: Use only if the organization approves sending this information to ToolWeb, and minimize or anonymize sensitive operational details where possible.
Finding 3: Provider API key stored in configuration or environment
Impact: Anyone who can read the configured key could use the user's ToolWeb account or consume paid API quota.
Details: The skill requires a provider API key stored in OpenClaw configuration or environment. This is expected for the API integration, but it is still a credential with account and quota impact.
Evidence: "env": { "TOOLWEB_API_KEY": "your-api-key-here" }
Recommendation: Store the API key using the safest secret-management option available, limit access to the OpenClaw config, and rotate the key if exposed.
